Kerio Tech Firewall6 User Manual

Page 76


Chapter 7

Traffic Policy

Figure 7.9 Traffic rule — source address definition

Warning

If either the source or the destination computer is specified by a DNS name, WinRoute tries to identify its IP address while processing the corresponding traffic rule. If no corresponding record is found in the cache, the DNS forwarder forwards the query to the Internet. If the connection is realized by a dial-up which is currently hung up, the query will be sent only after the line is dialed. The corresponding rule is disabled until the IP address is resolved from the DNS name. Under certain circumstances denied traffic can therefore be let through while the denial rule is disabled (such a connection will be closed immediately when the rule is enabled again).

For the reasons mentioned above we recommend that you specify source and destination computers only by IP address if you are connected to the Internet through a dial-up!

IP range — e.g. 192.168.1.10—192.168.1.20

IP address group — a group of addresses defined in WinRoute (refer to chapter 14.1)

Subnet with mask — subnet defined by network address and mask (e.g. 192.168.1.0/255.255.255.0)

Network connected to interface — selection of the interface or a group of interfaces from which the packet comes in (Source) or via which it is sent out (Destination). Groups of interfaces allow creation of more general rules independent of any particular network configuration (e.g. it is not necessary to change such rules when the Internet connection is changed or when a new LAN segment is added). It is recommended to define traffic rules associated with groups of interfaces wherever possible. For details on network interfaces and groups of interfaces, see chapter 5.
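The following is an added example, not WinRoute's or Kerio's own code: a small model of how the source/destination specifiers above (IP range, subnet with mask, single host, DNS name) are matched in first-match rule evaluation. It reproduces the failure mode the warning describes: a deny rule keyed on a DNS name is skipped as long as the name is unresolved, so traffic it should block is handled by the next rule. The DNS cache, rule names and addresses are constructed for the example; `dns_keyed_deny_rules` is a hypothetical audit helper that lists the deny rules a dial-up user should rewrite with IP addresses.

```python
"""Added example (not Kerio/WinRoute code): matching traffic-rule address
specifiers and showing why a deny rule keyed on a DNS name can fail open."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class AddressSpec:
    """One source/destination definition: 'range', 'subnet', 'host' or 'dns'."""
    kind: str
    value: str

    def matches(self, ip: str, dns_cache: Dict[str, str]) -> Optional[bool]:
        """True/False when the spec can be evaluated; None when it is a DNS
        name that has not been resolved (the rule then counts as disabled)."""
        addr = ipaddress.ip_address(ip)
        if self.kind == "range":                 # e.g. 192.168.1.10-192.168.1.20
            lo, hi = (ipaddress.ip_address(s.strip()) for s in self.value.split("-"))
            return lo <= addr <= hi
        if self.kind == "subnet":                # e.g. 192.168.1.0/255.255.255.0
            return addr in ipaddress.ip_network(self.value, strict=False)
        if self.kind == "host":                  # a single IP address
            return addr == ipaddress.ip_address(self.value)
        if self.kind == "dns":                   # resolved only via the cache model
            resolved = dns_cache.get(self.value)
            if resolved is None:
                return None                      # unresolved: rule stays disabled
            return addr == ipaddress.ip_address(resolved)
        raise ValueError(f"unknown spec kind {self.kind!r}")


@dataclass
class Rule:
    name: str
    action: str                                  # "permit" or "deny"
    source: AddressSpec
    destination: AddressSpec

    def applies_to(self, src_ip: str, dst_ip: str, dns_cache: Dict[str, str]) -> Optional[bool]:
        s = self.source.matches(src_ip, dns_cache)
        d = self.destination.matches(dst_ip, dns_cache)
        if s is None or d is None:
            return None                          # an unresolved name disables the rule
        return s and d


def evaluate(rules: List[Rule], src_ip: str, dst_ip: str,
             dns_cache: Dict[str, str], default: str = "deny") -> Tuple[str, str]:
    """First-match evaluation. Rules disabled by an unresolved DNS name are
    skipped, which is how denied traffic can slip through to a later permit."""
    for rule in rules:
        if rule.applies_to(src_ip, dst_ip, dns_cache):
            return rule.action, rule.name
    return default, "default"


def dns_keyed_deny_rules(rules: List[Rule]) -> List[str]:
    """Hypothetical audit helper: names of deny rules that depend on a DNS name."""
    return [r.name for r in rules
            if r.action == "deny" and "dns" in (r.source.kind, r.destination.kind)]


# Constructed sample policy: a LAN subnet, a deny rule keyed on a DNS name,
# then a permit rule for a range of LAN hosts to anywhere.
ANY = AddressSpec("subnet", "0.0.0.0/0")
LAN = AddressSpec("subnet", "192.168.1.0/255.255.255.0")
RULES = [
    Rule("block-host", "deny", LAN, AddressSpec("dns", "blocked.example")),
    Rule("lan-out", "permit", AddressSpec("range", "192.168.1.10-192.168.1.20"), ANY),
]
# Same policy with the deny rule rewritten to use an IP address, as the warning recommends.
HARDENED_RULES = [
    Rule("block-host", "deny", LAN, AddressSpec("host", "203.0.113.7")),
    RULES[1],
]

if __name__ == "__main__":
    resolved = {"blocked.example": "203.0.113.7"}   # constructed cache contents
    print(evaluate(RULES, "192.168.1.15", "203.0.113.7", resolved))   # deny while resolved
    print(evaluate(RULES, "192.168.1.15", "203.0.113.7", {}))         # permit once unresolved
    print(evaluate(HARDENED_RULES, "192.168.1.15", "203.0.113.7", {}))  # deny regardless of DNS
    print(dns_keyed_deny_rules(RULES))
```

The run with an empty cache stands in for the hung-up dial-up case: the deny rule yields `None`, is skipped, and the later permit rule matches. The hardened policy behaves identically whether or not DNS is reachable, which is the property the warning asks for.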
